Contact Tracing Survey Information of 750,000 Hoosiers Exposed On the Internet

The personal information of 750,000 Hoosiers gathered together with a COVID-19 contact tracing survey performed by the Indiana Department of Health was exposed on the internet and downloaded by an organization not allowed to get access to the data. The survey included data like names, dates of birth, addresses, emails, and details on race, ethnicity, and gender.

The Indiana Department of Health was informed concerning the unauthorized information access on July 2, 2021 and quickly took steps to protect the data to avoid further unauthorized access. Based on Tracy Barnes, the Chief Information Officer of the state of Indiana, the firm that accessed and obtained the information was a company that deliberately seeks software vulnerabilities, then attempts to seek business.

Last week, the Indiana Department of Health acquired a signed “certificate of destruction” from the organization confirming the downloaded data was forever destroyed and that no copies of the information were kept. The company additionally confirmed the downloaded information was not disclosed to any other firm or individual. The Indiana Department of Health stated the data were recovered on August 4, 2021.

State Health Commissioner Kris Box is convinced that the risk to state residents is nominal, especially thinking about the compromised information did not contain highly sensitive data like health information, health insurance details, Social Security numbers, or financial data.

According to the investigation results, the reason for the data exposure was a software setup issue, which left the data accessible online. Presently it is uncertain if any person besides those at the cybersecurity firm downloaded the information while they were open on the Internet.

Barnes stated that the Indiana Department of Health takes the security and integrity of information very seriously. The software configuration has been corrected and there will be an aggressive follow-up to make sure that no records were saved. Indiana’s Office of Technology will conduct scans on a regular basis to make certain that the downloaded records is not given to third parties.

Notification letters are being provided to affected persons to let them know of the privacy breach, and the state mentioned it will be providing a one-year membership to a credit monitoring service given by Experian to people impacted by the breach.

The Indiana Department of Health didn’t name the organization concerned, but some sources say it is UpGuard, an organization that routinely scans the Internet for misconfigured cloud services to find sensitive exposed data. The organization is proactive in looking for security vulnerabilities and exposed information and has discovered a lot of cases where sensitive records were left unprotected. In all cases, the company notifies the entities affected to make sure information is secured to avoid the falling of sensitive data into the hands of cybercriminals.

According to UpGuard spokeswoman, Kelly Rethmeyer, its team gave a note to the state of Indiana to inform them about an API that was configured for public access. Upon checking out the information, it was confirmed that the data was sensitive and that it must not be made public.

About Christine Garcia 1299 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at